The Conflict Between Privacy and Scientific Research in the GDPR

Abstract

One of the most important goals of the General Data Protection Regulation (GDPR) is to protect the data subject's privacy in the online environment where there is a significant imbalance between the users and the data controllers. To achieve this goal, the GDPR requires stronger consent to protect the data subjects and introduced new rights, such as the right to be forgotten and data portability. The new and stronger rights in the earlier drafts of the GDPR would have significantly restricted the data processing activities not just for the online services (e.g., Google, Facebook, Twitter), but for all the other data controllers. Furthermore, the planned strict rules could have been a considerable burden, especially for the entities processing sensitive data, such as research institutes and pharmaceutical companies. It became clear at the later stages of the drafting period that the new rules aiming at the online environment could also hamper the scientific research and technological developments. The analysis of large datasets (big data) seemed also challenging by the earlier drafts of the GDPR. A compromise was necessary between the data subject's new and stronger rights and the researchers' interests if the EU did not want to fall back with the innovation, especially in the field of technological developments and biomedical research. These reasons led to the involvement of pseudonymisation, statistical and scientific research exemptions in the final version of the GDPR.